Ignore SSL Certificate in a Servlet

忘掉有多难 2021-02-19 04:21

I am getting the following exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.pro         


        
3 Answers
  • 2021-02-19 04:23

    Is the website certificate issued by a private/company-owned CA or is it self-signed?

    ... new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() ...
    
    • Truststore is null:
      Did you try to load a keystore/file containing the trusted CAs + their chains?
    • isTrusted always returning "true":
      You're overriding the standard JSSE certificate verification process and trusting all, so no security at all.
    • That exception means that the certificate verification failed. The root CA, or the whole CA chain, is missing.

    So it seems like Tomcat ignored your SSLContext. Used like that, the sslContext is useless anyway. Debugging results? JVM SSL settings? Exception stack trace?

    0 Comments (0)
  • 2021-02-19 04:26

    You have developed one servlet, right? It is nothing but a web page. If you want an SSL-enabled web page, then you must purchase an SSL certificate and then install that certificate. If you don't have that certificate, then use the above-mentioned code. The above-mentioned code is appropriate for all security issues.

    You have to buy the SSL/TLS certificate from companies like Verisign and Thawte.

    0 Comments (0)
  • 2021-02-19 04:49

    Try the following code.

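    // DummyX509TrustManager.java
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    
    import javax.net.ssl.X509TrustManager;
    
    // Trust manager that accepts every certificate chain: both check methods
    // return without validating anything, so the peer is never authenticated.
    public class DummyX509TrustManager implements X509TrustManager {
    
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The interface contract requires a non-null (possibly empty) array.
            return new X509Certificate[0];
        }
    
        @Override
        public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
                throws CertificateException {
            // No validation: any server certificate is accepted.
        }
    
        @Override
        public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate, String paramString)
                throws CertificateException {
            // No validation: any client certificate is accepted.
        }
    }
    
    
    // Calling code, inside a method declared "throws IOException"; it needs:
    import java.io.IOException;
    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.impl.client.LaxRedirectStrategy;
    
    final TrustManager[] trustAllCerts = new TrustManager[] { new DummyX509TrustManager() };
    try {
        SSLContext sslContext = SSLContext.getInstance("SSL");
        sslContext.init(null, trustAllCerts, null);
    
        // connMgr is the connection manager defined elsewhere in the caller's code.
        // Per the HttpClientBuilder documentation, the SSL context set here can be
        // overridden by setConnectionManager(...).
        CloseableHttpClient client = HttpClients.custom()
            .setRedirectStrategy(new LaxRedirectStrategy())
            .setSslcontext(sslContext)
            .setConnectionManager(connMgr)
            .build();
    } catch (KeyManagementException e) {
        throw new IOException(e.getMessage());
    } catch (NoSuchAlgorithmException e) {
        throw new IOException(e.getMessage());
    }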
    
    0 Comments (0)